WebApp Sec mailing list archives
Re: PHP session management
From: Matt Rohrer <matt () prognostikos com>
Date: Sun, 26 Oct 2003 13:37:31 +0100
On Sat, Oct 25, 2003 at 06:51:13PM -0400, Gavin Zuchlinski wrote:
> Hi, I noticed on a server how PHP creates files in /tmp in the form sess_XXXXXXXXX to store session information (of course only readable by the apache user), but "XXXXXXXXX" is the actual session ID. If a person has local access to a system using PHP's session management, aren't they able to hijack any session? Am I a complete moron and am missing something?
No, you're not missing anything. There's a warning about this in the manual http://www.php.net/manual/en/ref.session.php#ini.session.save-path along with notes on how to configure PHP to avoid this problem. In general, the default configuration for session handling does not favor security. I would look at the page referenced above for configuration options that can be changed in the interest of security. I'm not aware of a canonical document describing a secure configuration for using PHP sessions, though perhaps others on the list can point you in the right direction.
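Added example, not code from either poster: a small shell audit that reproduces the exposure Gavin describes and the configuration change Matt points at. The point it demonstrates is that the sess_ files themselves being 0600 to the web server user does not help, because /tmp is mode 1777 and every local user can list it, so the file names (the session IDs) leak anyway; the fix is a session.save_path directory that nobody else can list. It assumes a POSIX sh with either GNU or BSD stat; the directory layout and the two session IDs are constructed fixtures, and the php.ini and httpd.conf lines it prints are the save_path settings a practitioner would apply, not a full hardening guide.

```shell
#!/bin/sh
# Added example (not from the thread). Shows why a world-listable
# session.save_path leaks PHP session IDs and what a private one looks like.
# All paths and session IDs here are constructed fixtures.

# What any local user can do when save_path is /tmp: list the directory.
# The sess_* files are 0600 to the web server user, but /tmp is 1777, so
# the names (which are the session IDs) are visible to everyone.
# Prints one session ID per line.
list_session_ids() {
    dir=$1
    for f in "$dir"/sess_*; do
        [ -e "$f" ] || continue          # no match: glob stayed literal
        printf '%s\n' "${f##*/sess_}"
    done
}

# Octal permission bits of a path (GNU stat first, BSD stat as fallback),
# with any leading setuid/setgid/sticky digit dropped, e.g. 1777 -> 777.
perm_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%s' "${mode#"${mode%???}"}"
}

# Returns 0 when DIR can only be listed by its owner (no group/other bits),
# 1 when some other local user could enumerate the session files in it.
session_path_is_private() {
    perm=$(perm_bits "$1")
    [ "${perm#?}" = "00" ]
}

# The fix: a save_path not shared with other users. Creates DIR with mode
# 0700 and prints the PHP setting that points at it. Run this as, or chown
# the directory to, the web server user so PHP can still write sessions.
harden_session_path() {
    dir=$1
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    printf 'php.ini:     session.save_path = "%s"\n' "$dir"
    printf 'httpd.conf:  php_admin_value session.save_path "%s"\n' "$dir"
}

# Constructed fixture: a stand-in for /tmp (mode 1777) holding two sessions
# whose files are 0600, exactly as PHP's default handler would leave them.
make_fixture() {
    base=$(mktemp -d)
    chmod 1777 "$base"
    : > "$base/sess_a1b2c3d4e5f6"        # constructed session ID
    : > "$base/sess_deadbeefcafe"        # constructed session ID
    chmod 0600 "$base"/sess_*
    printf '%s' "$base"
}

# Usage: sh audit_session_path.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(make_fixture)
    echo "session IDs any local user can read from $tmp:"
    list_session_ids "$tmp"
    session_path_is_private "$tmp" || echo "$tmp is listable by others: unsafe as save_path"
    harden_session_path "$tmp/private_sessions"
    session_path_is_private "$tmp/private_sessions" && echo "private_sessions is owner-only: OK"
    rm -rf "$tmp"
fi
```

The check deliberately ignores the 0600 mode of the individual files: what matters for enumeration is the directory's search and read bits, not the files'. Moving save_path out of /tmp also removes the dependency on the sticky bit semantics of a shared directory, which is why the manual note Matt cites recommends a dedicated directory rather than tighter permissions on the session files.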
Current thread:
- PHP session management Gavin Zuchlinski (Oct 26)
- Re: PHP session management Matt Rohrer (Oct 26)
- Re: PHP session management Tommy Gildseth (Oct 26)
- Re: PHP session management Gavin Zuchlinski (Oct 26)
- Re: PHP session management Hokkaido (Oct 27)
- Re: PHP session management Gavin Zuchlinski (Oct 27)
- Re: PHP session management Gavin Zuchlinski (Oct 26)
- Re: PHP session management Boris Penck (Oct 27)
- Re: PHP session management weigelt (Oct 28)
- Re: PHP session management Ivan Ristic (Oct 28)
- Re: PHP session management weigelt (Oct 28)
- <Possible follow-ups>
- RE: PHP session management Tyler Larson (Oct 27)